The Disturbing Rise of Cyberattacks Against Abortion Clinics

Share

The Disturbing Rise of Cyberattacks Against Abortion Clinics

HOTLITTLEPOTATO

Fatimah Gifford was nervous the day she was scheduled to testify in front of Texas’ Health and Human Services committee. Gifford is the VP of Communications for Whole Woman’s Health, which operates five reproductive healthcare clinics across Texas. This wasn’t her first time testifying before the state legislature, but it was her first time testifying about abortion.

“I entered into this with eyes wide open, and knowing that I was more than likely going to be devoured up in there,” she says.

Given her job, Gifford is no stranger to high-pressure environments, but she was unprepared for what came next. She slowly walked to the podium, introduced herself, and read her testimony against House Bill 2, a sweeping piece of legislation that laid out some of the harshest abortion restrictions in the country.

When she finished, a committee member laid into her. He denounced her for marketing and promoting abortion, and criticized the organization’s website for its professional appearance because it helped “sell” abortions. He also read the organization’s URL— www.wholewomanshealth.com—out loud.

“It was like he mockingly invited people to go to our site and mess with us and made sure our web address made it into public record,” says Amy Hagstrom Miller, the founder and CEO of Whole Woman’s Health. Which is precisely what happened.

Later that day, Whole Woman’s Health noticed a surge in hacking attempts through routine monitoring of web activity. A few days after, the staff couldn’t log into the website. One of the intrusive efforts had succeeded, and shut the website down for a week.

It was just the beginning of the onslaught of cyberattacks that Whole Woman’s Health would experience between June 2013 and April 2016, as the organization continued to fight a legal battle over abortion that went all the way to the Supreme Court.

The battle lines around abortion in the US have been clearly drawn for decades. Protesters, ranging from handfuls to hundreds, stake territory outside clinics to pray, wave signs, and yell into loudspeakers. On the legislative front, politicians have enacted hundreds of Targeted Restrictions of Abortion Providers laws since 2010 that make it difficult for women to access abortion care, and cause clinics to close down.

Over the past few years, though, a new front has emerged that many reproductive healthcare organizations struggle to deal with. Cyberattacks and threats, as well as internet harassment, have escalated, aiming to disrupt services, intimidate providers and patients, and prevent women from getting the care they need.

After the initial attack, Whole Woman’s Health hired a cybersecurity specialist to remove the malware and repair the damage that had been done. Still, Hagstrom Miller says, the site suffered more than 500 hacking attempts each day in the wake of Gifford’s testimony. About a month later, hackers found and exploited a vulnerability in the Whole Woman’s Health blog, which gave them a backdoor to the entire website.

The second successful attack shut down the site for a month. Without it, potential patients were unable to find the clinics, make appointments, identify hours, locations, and services provided, and ask questions.

“The damage was awful,” Gifford said. “Our phones literally stopped ringing. It was devastating. Most of our patients find us online, so with no website and no Google advertising, it made day-to-day awareness nearly impossible.”

After that attack, Whole Woman’s Health switched to a more secure hosting provider, and rebuilt every single page on its website, around 100 in all. These measures allowed the organization to better track the cyberthreats as they came in, but didn’t stop them. As Whole Woman’s Health continued to speak out in support of abortion rights, hackers continued to strike.

On April 2, 2014, the Center for Reproductive Rights filed a lawsuit on behalf of five Texas clinics challenging HB2, and Whole Woman’s Health became the lead plaintiff. The case wound its way through the lower courts until the Supreme Court issued its decision in 2016. Throughout this multi-year process, Hagstrom Miller emerged as an outspoken advocate for reproductive rights. Every time she went on MSNBC or CNN to talk about the case, Whole Woman’s Health experienced a surge in hacking attempts. In one subsequent attack, hackers rerouted visitors to Whole Woman’s Health website to a pornographic page.

“It was not only not a landing page, but it took you somewhere awful,” Hagstrom Miller said. “I remember being mortified.”

The high-profile of Whole Woman’s Health may have made the organization a unique target, but anti-abortion cyber warfare is part of a larger trend. While hate speech and online harassment have long plagued abortion providers—including over 42,500 incidents of hate speech in 2016 alone, according to the National Abortion Federation—actual hacking represents a serious escalation. Even organizations like Planned Parenthood, which have significant resources and manpower, struggle to prevent attacks from a loosely organized but determined group of “hacktivists” and extremists.

In July 2015, Planned Parenthood’s website was hacked shortly after the Center for Medical Progress, an anti-abortion group, released secretly recorded (and discredited) videos doctored to make it seem like Planned Parenthood sold fetal tissue. The same attack also targeted the National Network of Abortion Funds and the Abortion Care Network.

As reported by the Daily Dot, a group called 3301 claimed credit for the hack, and said they used a Blind SQL injection, in which an attacker queries a database in hopes that the response will reveal information or vulnerabilities.

"Here we are, the social justice warriors, seeking to reclaim some sort of lulz for the years and thousands of dollars that Planned Parenthood have wasted and made harvesting your babies," 3301 wrote on its site. The group then published the names and contact information for more than 300 Planned Parenthood employees online.

These types of leaks can create real-world danger. Abortion providers have a long history of being stalked, assaulted, harassed, and murdered. In communities that are hostile to abortion, it’s not uncommon for staff to hide what they do, drive different routes to work, and take great pains to hide their identity. Doxxing can put their lives at risk.

David Cohen, a professor of law at Drexel University and the author of Living in the Crosshairs: The Untold Stories of Anti-Abortion Terrorism, says extremist anti-abortion groups have used tactics like this since the early days of the internet, but the vulnerability landscape has broadened and diversified. Now, for example, the risk of data breaches (which enable doxxing) is greater. According to the 2016 National Clinic Violence Survey, published by the Feminist Majority Foundation, 13.9 percent of clinics reported that information and pictures of doctors were posted on the internet.

“The antis have been using every tool at their disposal to go after abortion providers and clinics for as long as they have been doing this,” says Cohen. “A lot of clinics did not have a website before five or ten years ago, so the antis were not going to hack anything because there was not anything to hack. As technology spreads and becomes more sophisticated, we are seeing attacks from every angle.”

Hackers targeted Whole Woman’s Health and Planned Parenthood because they are prominent, nationally recognized organizations that advocate for abortion rights, but the threats can be localized as well. Calla Hales is the administrator of A Preferred Women’s Health Center (APWHC), which operates four abortion clinics in North Carolina and Georgia. The Charlotte location attracts protesters that can number in the hundreds every week, and Hales said they are besieged by hacking attempts as well. APWHC recently experienced a DDoS attack that shut down the company’s internet and phones. Hackers have shut down the website on multiple occasions as well.

“It happens pretty regularly and we have had to spend way too much money to fix it,” Hales says. “To be honest, I’m surprised by how tech-savvy they are.”

But Craig Petronella, a cybersecurity expert who focuses on the healthcare industry, says that it’s relatively easy these days for any “motivated group” to wage a cyberattack, whether it’s through malware, ransomware, a phishing scheme, or a DDoS attack.

“Anyone that knows how to type a word document or a simple email can go on the dark web with malicious intent to find what they are after,” Petronella says. “The simplicity of it is scary.”

Organizations without strong protections in place face proportionally greater risk. Many hospitals, clinics, and private practices operate on older technology and equipment and have limited resources to devote to state-of-the-art IT.

“Healthcare is such low-hanging fruit,” Petronella says. “Hackers know their defenses are weak and they are limited on budget, without a lot of sophistication with cybersecurity. They also know that a healthcare practice needs their computer systems and are sensitive to downtime. They can do a lot of damage.”

Providing abortion services further adds to a clinic’s lure as a target, and because the attacks happen online, people can participate anonymously and from afar. Hales and Hagstrom Miller may recognize the protesters who show up outside their clinics everyday, but they have no idea where the cyberattacks are coming from.

There are also rules in place for dealing with human protesters that don’t carry over to online interference. The FACE Act prohibits people from trespassing on clinic property and blockading entrances, and law enforcement is supposed to intervene when protesters violate those laws. It’s easier to catch someone who breaks in and physically smashes equipment than a hacker who shuts down a system remotely. Cyberattacks are illegal, but notoriously difficult to police.

'As technology spreads and becomes more sophisticated, we are seeing attacks from every angle.'

— David Cohen, Drexel University

And then there are the threats that exist in gray area. APWHC does not have Wi-Fi, because they ask their patients to stay off their phones for privacy purposes. Hales said one local anti-abortion group sends over a van that parks outside the clinic with a Wi-Fi node that broadcasts a network called Abortion Info. When patients connect to the network, they are taken to a website that looks like APWHC’s, but isn’t.

“People automatically log in and the website looks exactly like our website,” Hales says. “It has all these cartoon videos that say things like ‘I’m going to stick in the speculum and rip the arm off.’ It’s creepy as shit.”

Geotargeting is another example. In 2016, a mobile advertising and marketing firm called Copley Advertising was hired by RealOptions, a network of crisis pregnancy centers (CPCs), and the evangelical adoption agency Bethany Christian Services, to target “abortion-minded” women in Planned Parenthood clinics with anti-choice messages. Beyond the nuisance factor, the action raises legitimate concerns about anti-choice groups gaining access to personal information about patients, and sending them unwanted messages.

Massachusetts recently banned this practice, but it demonstrates how the anti-abortion movement has embraced digital tools can to circumvent barriers they face in the physical world. They may not be allowed to walk into a clinic and hand out pamphlets, but they can distribute the same information to the same women in the same place, via their phones.

Hacks and other digital intrusions now make up part of the anti-abortion landscape. The structure of the attacks may differ from their real-world counterparts, but the goals are the same, and the threats they pose to providers’ capacity to do their jobs and deliver care are just as real—even if they don’t happen on the ground.

Prevention, however, can be tough. Clinics and organizations often don’t take steps to boost their cybersecurity until after an attack has hit, but at that point, it’s too late. It took multiple successful hacking attempts for Whole Women’s Health to make the necessary adjustments.

“After being targeted so incessantly over a short time frame, we knew immediately that we needed to develop and employ an internal system in which we closely monitored the site,” said Gifford. “So we got an additional layer of website security and on a daily basis, we log in to the website to make sure that all security plug-ins are up to date and that nothing has been compromised.”

The attacks against Whole Woman’s Health have since subsided, but who knows when they might strike again? There is no such thing as “perfect” cybersecurity, and with no known hacking-related arrests, clinics are pretty much on their own—forced to funnel resources that could go to STI testing, contraceptives, subsidized care, and yes, abortion access into fighting faceless, nameless, enemies whose health and wellbeing are not on the line.